Effective use of CA hierarchy


We have a use case which can utilise a CA hierarchy. On a site there are devices (many), each with many applications, and an office application.

Applications on the devices will communicate with each other on the same device, plus some applications on the device will communicate with the office application as well.

We will have a Site CA which signs the office app certificate.

We will also have a Device CA (signed by the site CA) for each device which signs the device app certificates.

What I'm not sure about is: if the device CA revokes a device application, how does the office application know about this revocation, since it doesn't appear in the Site CA CRL?

The main driver for wanting to adopt a CA hierarchy is to limit the effect of certificate revocation. Meaning, if a certificate is revoked, we want to have fewer devices we need to deploy the CRL to.

How would you advise this situation be addressed?

Is there another way we can set up our CAs and signing to assist in this situation, while limiting CRL deployments?
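The hierarchy described in the post (Site CA, one Device CA per device, device application certificates), as an added example that is not code from the original post. It builds the three-level chain with the openssl command line, has the Device CA revoke an application certificate, and checks what the office application can conclude from the Site CA CRL alone versus from both CRLs. The names (Site CA, Device01 CA, app1.device01), the database layout under `*.db`, and the CRL distribution point URL in `leaf.ext` are constructed placeholders for the example; the mechanism (each CA signs only its own CRL, so a relying party must obtain the CRL of the CA that issued each certificate in the chain) is standard X.509/RFC 5280 behaviour.

```shell
#!/bin/sh
# Added example (not from the original post): Site CA -> Device CA -> device app certificate.
# Demonstrates that the office application can only learn about a revocation by the Device CA
# from the Device CA's own CRL; the Site CA CRL never carries it.
set -eu

# Run a command quietly; abort the current (sub)shell with a message if it fails.
run() { "$@" >/dev/null 2>&1 || { echo "command failed: $*" >&2; exit 1; }; }

# Create both CAs, one application certificate and an initial (empty) CRL per CA in directory $1.
build_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # crlDistributionPoints: where a relying party would fetch the *Device CA's* CRL (placeholder URL)
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\ncrlDistributionPoints=URI:http://pki.example.invalid/device01.crl\n' > leaf.ext

  # Site CA: self-signed root that the office application trusts
  run openssl ecparam -name prime256v1 -genkey -noout -out site.key
  run openssl req -new -key site.key -subj "/CN=Site CA" -out site.csr
  run openssl x509 -req -in site.csr -signkey site.key -days 365 -extfile root.ext -out site.crt

  # Device CA for device01, signed by the Site CA
  run openssl ecparam -name prime256v1 -genkey -noout -out device01.key
  run openssl req -new -key device01.key -subj "/CN=Device01 CA" -out device01.csr
  run openssl x509 -req -in device01.csr -CA site.crt -CAkey site.key -CAcreateserial \
    -days 365 -extfile ca.ext -out device01.crt

  # One application on device01, signed by that device's CA
  run openssl ecparam -name prime256v1 -genkey -noout -out app.key
  run openssl req -new -key app.key -subj "/CN=app1.device01" -out app.csr
  run openssl x509 -req -in app.csr -CA device01.crt -CAkey device01.key -CAcreateserial \
    -days 90 -extfile leaf.ext -out app.crt

  # Minimal 'openssl ca' state so each CA can revoke certificates and publish its own CRL
  for ca in site device01; do
    mkdir -p "$ca.db"
    : > "$ca.db/index.txt"
    echo 01 > "$ca.db/crlnumber"
    cat > "$ca.db/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database = ./$ca.db/index.txt
crlnumber = ./$ca.db/crlnumber
certificate = ./$ca.crt
private_key = ./$ca.key
default_md = sha256
default_crl_days = 7
EOF
    run openssl ca -config "$ca.db/ca.cnf" -gencrl -out "$ca.crl"
  done
)

# The Device CA (not the Site CA) revokes the application certificate and reissues its CRL.
revoke_app() (
  cd "$1"
  run openssl ca -config device01.db/ca.cnf -revoke app.crt
  run openssl ca -config device01.db/ca.cnf -gencrl -out device01.crl
)

# Office-application view: validate app.crt up to the Site CA and require CRL coverage for
# every certificate in the chain (-crl_check_all), with only the CRLs in file $2 available.
verify_app() (
  cd "$1"
  openssl verify -crl_check_all -CAfile site.crt -untrusted device01.crt \
    -CRLfile "$2" app.crt >/dev/null 2>&1
)

# Returns 0 when all three observations below hold, 1 otherwise.
demo_crl_scope() {
  w=$(mktemp -d)
  build_pki "$w" || return 1
  # 1. Site CA CRL alone: validation cannot even complete, because no CRL from the
  #    app certificate's issuer (the Device CA) is available to the office application.
  if verify_app "$w" site.crl; then return 1; fi
  # 2. Both CRLs present, nothing revoked: the app certificate is accepted.
  cat "$w/site.crl" "$w/device01.crl" > "$w/all.crl"
  verify_app "$w" all.crl || return 1
  # 3. Device CA revokes the app certificate. site.crl is unchanged; only a relying party
  #    holding the fresh device01.crl (e.g. fetched from the CDP above) sees the revocation.
  revoke_app "$w" || return 1
  cat "$w/site.crl" "$w/device01.crl" > "$w/all.crl"
  if verify_app "$w" all.crl; then return 1; fi
  rm -rf "$w"
  return 0
}

demo_crl_scope && echo "ok: revocation is visible only through the Device CA's CRL"
```

The design point the run illustrates: the Site CA CRL only lists certificates the Site CA itself issued (the Device CA certificates), so revoking an application certificate can only ever appear in that device's Device CA CRL. The hierarchy still achieves the post's goal of limiting CRL distribution, because the parties that must receive a given Device CA's CRL are only those that validate certificates from that device, which in the described topology is the other applications on the same device plus the office application. Putting a crlDistributionPoints extension in each application certificate (as `leaf.ext` does) lets the office application discover which CRL it needs per device instead of being pushed all of them.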